Netgate Discussion Forum

    CRL Errors using externally signed CA

      randomguy228
      last edited by stephenw10

      Version affected: pfSense CE 2.5.0-RELEASE (amd64)

      Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: 
      #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') 
      #1 /etc/inc/certs.inc(1044): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #61, false) 
      #2 /etc/inc/openvpn.inc(1250): crl_update(Array) 
      #3 /etc/inc/openvpn.inc(1448): openvpn_reconfigure('server', Array) 
      #4 /etc/inc/openvpn.inc(1675): openvpn_restart('server', Array) 
      #5 /usr/local/www/vpn_openvpn_server.php(736): openvpn_resync('server', Array) 
      #6 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56
      PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace:
      #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') 
      #1 /etc/inc/certs.inc(1044): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #61, false) 
      #2 /etc/inc/openvpn.inc(1250): crl_update(Array) 
      #3 /etc/inc/openvpn.inc(1448): openvpn_reconfigure('server', Array) 
      #4 /etc/inc/openvpn.inc(1675): openvpn_restart('server', Array) 
      #5 /usr/local/www/vpn_openvpn_server.php(736): openvpn_resync('server', Array) 
      #6 {main} thrown
      

      Receiving the above fatal error when adding a CRL to an OpenVPN Server or when attempting to revoke certificates.

      The CRL was created internally (within pfSense) using an externally signed CA cert/key (which was previously imported into pfSense).

      As a test I created a self-signed CA certificate, created a CRL using it and added it to the OpenVPN server, and do not receive any critical errors. For this test CRL, I can create and revoke certificates without error.

      So it seems the CRL on my pfSense functions properly with a self-signed CA cert/key, but not an externally signed CA cert/key.

      The externally signed CA certificate and key include the trust chain (intermediate and root certs) and contain the following parameters:

      Signature Digest: RSA-SHA384
      KU: Certificate Sign, CRL Sign
      Key Type: RSA
      Key Size: 3072
      
        stephenw10 Netgate Administrator

        You should test in 2.5.2. However, it looks like this known issue: https://redmine.pfsense.org/issues/9889

        Also see: https://redmine.pfsense.org/issues/12327

        Steve

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.